Additional Materials:

Contact:

The Office of Special Counsel (OSC) is charged with safeguarding the merit system by protecting federal employees and applicants for employment from prohibited personnel practices, such as discrimination, nepotism, and retaliation against whistleblowing. An individual who feels that a prohibited personnel practice has occurred may file a claim with OSC, which OSC then investigates and on which it may seek corrective or disciplinary action through negotiation with agencies or prosecution of claims before the Merit Systems Protection Board. In addition, federal employees, former federal employees, and applicants for federal employment may also disclose to OSC alleged wrongdoing by federal employees (termed whistleblower disclosures), including violations of law, gross mismanagement, or abuse of authority. OSC also provides advisory opinions and enforces Hatch Act restrictions on the political activities of individuals employed by the federal and District of Columbia governments as well as certain state and local government employees in connection with programs financed by federal funds. OSC also prosecutes claims before the Merit Systems Protection Board on behalf of federal employees, former federal employees, and applicants for federal employment under the Uniformed Services Employment and Reemployment Rights Act of 1994 (USERRA), which protects the employment and reemployment rights of federal and nonfederal employees who leave their employment to perform military service and prohibits discrimination against individuals because of their military service. OSC reports annually to Congress on the number of all types of cases it receives, processes, and closes as well as the disposition of those cases. cases. In the course of two prior reviews at OSC, we found discrepancies in the data generated by OSC's case tracking system--OSC 2000--in the number of cases pending at the beginning of a fiscal year as well as cases received and closed during the year. This report responds to Congress's concerns about the possibility that the data in OSC 2000 may be unreliable and that in turn OSC data on caseloads may be in error. As discussed, our objectives were to (1) identify what actions OSC has taken to help ensure the reliability of its case tracking system and related data and (2) determine whether OSC has corrected the types of data discrepancies we identified during previous work.

Although OSC officials described actions that they said had been taken to help ensure the reliability of OSC 2000 and its related data, they did not provide us with sufficient documentation to demonstrate that fundamental system controls and safeguards are in place and operating as intended. The absence of this documentation can be attributed to OSC's failure to follow a structured system development life cycle approach for OSC 2000--an approach in which system requirements are documented, along with tests of and changes to the system. Failure to follow a structured system development life cycle approach for OSC 2000 is contrary to recognized system development life cycle management practices and increases the risk that the system will not function as intended. Controlling risks in areas such as information security is especially important to protect the personal information of complainants from inadvertent or deliberate misuse, fraudulent use, improper disclosure, corruption, or destruction. In comparing electronic data in OSC 2000 to the source case files for 158 randomly selected cases, we found that the three data elements used in OSC's annual reports to Congress--date received, date closed, and case type--are sufficiently reliable for reporting purposes but that OSC continues to have small discrepancies in summary data provided to us similar to those previously identified during our work in 2004. These variances in the summary data are primarily caused by inconsistent queries to OSC 2000 and appear to be within OSC's acceptable error rate, which officials have stated is (-)+ 3 percent. However, any untested data elements in OSC 2000 may be in doubt because of OSC's failure to follow structured system life cycle management practices. We recommend in this report that OSC develop a system development life cycle approach, ensure that such an approach is fully implemented before making additional system changes, and develop consistent system queries.

Recommendations for Executive Action

Status: Closed - Not Implemented

Comments: In April 2011, OSC officials provided documentation of its System Development Life Cycle (SDLC) and discussed the contents of the documentation with members of GAO's Information Technology and Strategic Issues teams. GAO assessed the contents of the documentation provided by OSC officials and determined that the OSC had not fully implemented the recommendation.

Recommendation: The Special Counsel should direct OSC's Chief Information Officer (CIO) to define an System Development Life Cycle (SDLC) approach that is consistent with relevant federal guidance and practices at successful information technology organizations, including the minimum security requirements outlined in National Institute of Standards and Technology guidance.

Agency Affected: Office of Special Counsel

Status: Closed - Not Implemented

Comments: In April 2011 OSC officials told GAO that they currently have no planned replacement for the OSC 2000 database system and have made only very minor incremental changes to OSC 2000. OSC officials said that they plan to follow the SDLC approach in the future if they make any significant changes to OSC 2000. Since OSC is not planning on making any significant changes to OSC 2000 and it not planning on replacing OSC 2000, the GAO team determined that this recommendation is not currently applicable and therefore not implemented.

Recommendation: The Special Counsel should direct OSC's CIO to ensure that the SDLC is fully implemented as part of any planned changes to or replacements for OSC 2000.

Agency Affected: Office of Special Counsel

Status: Closed - Implemented

Comments: In July 2007 OSC developed and implemented standardized SQL queries as a part of its OSC 2000 system and began using these queries for reporting to Congress on OSC's inventory of cases.

Recommendation: The Special Counsel should direct OSC's CIO to develop and utilize consistent standard SQL queries for reporting on the inventory of cases.